Apple Patches Actively Exploited Zero-Day in CoreMedia Framework

Apple released emergency security updates to fix a zero-day vulnerability in the CoreMedia framework that was being actively exploited against devices running older iOS versions.

Sebastion

CVE References: CVE-2025-24085

Affected: iPhone, iPad, Mac, Apple TV, Apple Watch, Apple Vision Pro

What happened: Apple released security updates across its entire product lineup to address CVE-2025-24085, a use-after-free vulnerability in the CoreMedia framework. Apple acknowledged that the vulnerability may have been actively exploited against versions of iOS before iOS 17.2, indicating it was used in targeted attacks against specific individuals.

Technical details: CVE-2025-24085 is a use-after-free memory corruption vulnerability in CoreMedia, the framework responsible for media playback across Apple's operating systems. The flaw allows a malicious application to elevate its privileges, potentially gaining kernel-level access. The vulnerability was fixed in iOS 18.3, iPadOS 18.3, macOS Sequoia 15.3, watchOS 11.3, visionOS 2.3, and tvOS 18.3 through improved memory management.

Who is affected: Users of Apple devices running older operating system versions, particularly those on iOS versions prior to 17.2. The targeted nature of the exploitation suggests it was likely used against high-value individuals such as journalists, activists, or government officials, consistent with the pattern of commercial spyware operations.

What defenders should do: Update all Apple devices to the latest operating system versions immediately. Organizations with mobile device management (MDM) solutions should push the updates to managed devices. Review device logs for indicators of compromise associated with privilege escalation from media processing components.
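An inventory check for the update step above, added here as an example rather than code from the original advisory: it flags devices in a constructed MDM export whose OS version is below the fixed releases this advisory lists. The inventory record format, device ids and plain dotted-numeric version strings are assumptions.

```python
"""Flag Apple devices in an MDM inventory export that still run a version
below the releases in which CVE-2025-24085 was fixed."""

# Releases that fixed CVE-2025-24085, taken from the advisory text.
FIXED_VERSIONS = {
    "iOS": "18.3",
    "iPadOS": "18.3",
    "macOS": "15.3",
    "watchOS": "11.3",
    "visionOS": "2.3",
    "tvOS": "18.3",
}

def parse_version(version):
    """Turn '18.3.1' into (18, 3, 1) so versions compare numerically;
    a string compare would wrongly rank '18.10' below '18.3'."""
    return tuple(int(part) for part in version.split("."))

def is_vulnerable(platform, version):
    """True if the device is below the fixed release for its platform.
    Platforms not covered by the advisory are not assessable (None)."""
    fixed = FIXED_VERSIONS.get(platform)
    if fixed is None:
        return None
    return parse_version(version) < parse_version(fixed)

def find_unpatched(inventory):
    """Return (device_id, platform, version) for every exposed device."""
    return [(d["id"], d["platform"], d["version"])
            for d in inventory if is_vulnerable(d["platform"], d["version"])]

# Constructed sample inventory; device ids are hypothetical placeholders.
SAMPLE_INVENTORY = [
    {"id": "iphone-001", "platform": "iOS", "version": "17.1.2"},   # pre-17.2, exploited range
    {"id": "iphone-002", "platform": "iOS", "version": "18.3"},     # patched
    {"id": "ipad-001", "platform": "iPadOS", "version": "18.2.1"},  # unpatched
    {"id": "mac-001", "platform": "macOS", "version": "15.3.1"},    # patched
    {"id": "watch-001", "platform": "watchOS", "version": "11.2"},  # unpatched
    {"id": "tv-001", "platform": "tvOS", "version": "18.10"},       # patched: 18.10 > 18.3
]

if __name__ == "__main__":
    for device in find_unpatched(SAMPLE_INVENTORY):
        print("UNPATCHED:", *device)
```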

Broader implications: This marks Apple's first actively exploited zero-day of 2025 and continues the trend of sophisticated threat actors targeting Apple's media handling frameworks. The acknowledgement that exploitation occurred against older versions suggests this vulnerability may have been in use by surveillance vendors for an extended period before discovery.